HTTP Request Smuggling

HTTP request smuggling exploits discrepancies between how a front-end server (load balancer, reverse proxy, CDN) and a back-end server determine the boundaries of HTTP requests. By crafting ambiguous requests where Content-Length and Transfer-Encoding headers disagree, an attacker can cause the front-end and back-end to disagree on where one request ends and the next begins.

This allows attackers to "smuggle" a request that the front-end treats as part of a legitimate request but the back-end interprets as a separate, malicious request. The smuggled request can bypass security controls, poison web caches, hijack other users' requests, or exploit reflected XSS vulnerabilities without user interaction.

Variants include CL.TE (front-end uses Content-Length, back-end uses Transfer-Encoding), TE.CL (reverse), and TE.TE (different Transfer-Encoding parsing). HTTP/2 downgrade smuggling is a newer variant affecting H2-to-H1 proxying.

How APVISO tests for this: APVISO's scanner agent sends carefully crafted ambiguous HTTP requests to detect CL.TE, TE.CL, and TE.TE smuggling variants. It uses timing-based detection techniques to identify desync without causing disruption to other users.